I'm still playing with my own DB, trying to learn, and saw this:
I could change the root password without any problem at all… If I'm on the server, I can create an algorithm to start testing passwords and someday I will find it, I mean:
Web-Services-iMac-2:~ jbolivar$ mysqladmin -utest1 -p**SOME_THING_HERE** password test1
Is it OK to change the password using this?
update table mysql.user set password=PASSWORD('test') where user='test1';
Besides that, if I create a dictionary table (a table with all possible words) and apply PASSWORD("word"), I can make a join and find the value of any pass, right?
Can you give me your opinion about my analysis?
Best Answer
Before you continue playing with mysqladmin, you need to make sure your installation is not intentionally giving away access.
For starters, can you log in to mysql like this?
If you can get in just like that, run this command:
If CURRENT_USER() returns a user and host where the user is blank, then you were allowed in as an anonymous user. At that point, you can remove anonymous users with this:
Now, locate all users with no password with this:
If any users have no password, you can issue new passwords for users using mysqladmin or you could just assign them as follows:
Now, check for remote users:
If you see any, run this:
Make sure when all is said and done that at least root@localhost and/or root@127.0.0.1 exist and have a password.
I could probably go on. Here are other posts I have about stuff like this:
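The audit steps described in the answer above, written out as an added example (not the answerer's own commands, which did not survive on this page). It assumes a pre-5.7 server where mysql.user has the `password` column used in the question (5.7 and later store the hash in `authentication_string`); the host values and the new password are placeholders.

```sql
-- 1. Which account did the server actually match for this session?
--    USER() is what the client sent; CURRENT_USER() is the grant row used.
--    A CURRENT_USER() of the form @localhost means an anonymous login.
SELECT USER() AS client_sent, CURRENT_USER() AS matched_account;

-- 2. One pass over the grant table, flagging every account that is
--    anonymous, has no password, or may connect from a non-local host.
SELECT user,
       host,
       (user = '')     AS is_anonymous,
       (password = '') AS no_password,
       (host NOT IN ('localhost', '127.0.0.1', '::1')) AS is_remote
FROM   mysql.user
WHERE  user = ''
   OR  password = ''
   OR  host NOT IN ('localhost', '127.0.0.1', '::1')
ORDER  BY is_anonymous DESC, no_password DESC, user, host;

-- 3. Remove an anonymous account reported by step 2.
--    The host is a placeholder: use the host value from the audit output.
DROP USER ''@'localhost';

-- 4. Give a passwordless account a password (pre-5.7 syntax).
--    'test1' is the account from the question; its host and the new
--    password are placeholders.
SET PASSWORD FOR 'test1'@'localhost' = PASSWORD('REPLACE_WITH_STRONG_PASSWORD');

-- 5. Final check: every local root account exists and has a password.
SELECT user, host, (password <> '') AS has_password
FROM   mysql.user
WHERE  user = 'root'
  AND  host IN ('localhost', '127.0.0.1', '::1');
```

Run step 2 again after the changes; an empty result means no anonymous, passwordless, or remote accounts remain.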